Discussion (135 comments), originally on HackerNews
> FWIW, and since a few of you probably use it… I own the JSON Formatter extension [0], which I created and open-sourced 12 years ago and have maintained [1] ever since, with 2 million users today. And I solemnly swear that I will never add any code that sends any data anywhere, nor let it fall into the hands of anyone else who would. I’ve been emailed several tempting cash offers from shady people who presumably want to steal everyone’s data or worse. I sometimes wish I had never put my name on it so I could just take the money without harming my reputation, but I did, so I’m stuck with being honourable. On the plus side I will always be able to say that I never sold out.
https://news.ycombinator.com/item?id=37067908
> I am no longer developing JSON Formatter as an open source project. I'm moving to a closed-source, commercial model in order to build a more comprehensive API-browsing tool with premium features.
Well, all the big tech corps have done the same. Nothing to see here. OSS needs proper funding infrastructure. Which all the big players shit on. So, I can't judge him on that. His work, his time.
At the end of the day the small amounts are the real thank you and biggest driver for the work you put into something.
This distills down to: "I don't want to be honourable." They signaled right from the beginning.
https://chromewebstore.google.com/review-reply/b4a787df-64e5...
> Give Freely is not spyware/adware or any kind of 'scam'. It's an optional donation appeal that asks you (if you happen to visit a retailer which happens to be a Give Freely partner) to click a button to donate unclaimed affiliate fees, with most of the money going to Code.org or another charity of your choice. I've met the Give Freely team and trust them. It does not collect any PII or browsing activity, and it doesn't overwrite other affiliate/voucher codes so it never costs you anything. If you find the donation popup too intrusive/annoying you can disable it forever in the extension options, or in the donation popup itself.
> Code.org is a good cause that's relevant to a lot of the same people who use this extension regularly, and clicking a Give Freely donate button is a genuinely free and anonymous way to show your support for both, if you want to. If you don't like it you can turn it off, or if it makes you more comfortable you can switch to JSON Formatter Classic, which has no Give Freely code and corresponds with the v0.8 branch in my archived json-formatter GitHub repo. Or try one of the many forks or alternatives available on the store.
> JSON Formatter Classic: https://chromewebstore.google.com/detail/json-formatter-clas...
In the case of small browser extensions from individual developers, I think the tradeoff is such that you should basically never allow auto-updating. Unfortunately Google runs a Chrome extension marketplace that doesn't work that way, and worse, Google's other business gives them an ideology that doesn't let them recognize that turning into adware is a transgression that should lead to being kicked out of their store. I think that other than a small number of high-visibility long-established extensions, you should basically never install anything from there, and if you want a browser extension you should download its source code and install it locally as an unpacked extension.
(Firefox's extension marketplace is less bad, but tragically, Firefox doesn't allow you to bypass its marketplace and load extensions that you build from source yourself.)
It's less than ideal but you can 1) load extensions temporarily in about:debugging, 2) turn off xpinstall.signatures.required in nightly or dev edition to install them for good or 3) sign on addons.mozilla.org without publishing to the marketplace.
Will see if I get time to do so.
The Go binary would be downloaded automatically and silently, periodically. I tried to fight it for a while but at some point he added checks (!) to ensure that nobody was blocking his RCE model. Meaning it would no longer run on one of my partially air-gapped systems.
I moved on, but a lot of other software behaves that way.
Most chromium-based browsers will show a big scary and permanent button if they can't update, for example.
Vivaldi which I use thankfully doesn't do that. At least on macOS it uses the common Sparkle updater, which would pop up a window in your face when you least expect it telling you that an update is available, showing a changelog and letting you decide when and whether to install it.
Even though it is an interruption, it's still much more respectful than what Chrome does. It insists on running a background service at all times and the only way I was able to neutralize it was to delete its .plist file and create a directory with the same name.
This is how updates are now. Sure, there are sometimes some security updates that you should have installed. But more often than not it's just some bullshit I don't want.
I just did this for all extensions I have in Firefox. Not sure about extensions like uBlock though? Doesn't it fetch new lists of sites to block or something like that? Or is that done separately from updates?
It's done separately from updates.
I also disable auto updates for extensions and I keep extensions that I don't need daily installed but disabled.
It's annoying that Firefox doesn't have an "Update all" button, but clicking manually on a handful of extensions once a month isn't that much of a chore :shrugs:.
Turns out about a month ago, the popular open source [JSON Formatter chrome extension](https://chromewebstore.google.com/detail/json-formatter/bcji...) went closed source and started injecting adware into checkout pages. Also seems to be doing some geolocation tracking.
I didn't see this come up on hn, so I figured I'd sound the alarm for all the privacy-conscious folks here.
At this point, I feel like browser extension marketplaces are a failed experiment. I can just vibecode my own json pretty-printer extension and never deal with this problem again.
They have an API basically dedicated to this: https://developer.chrome.com/docs/extensions/reference/api/d...
I think you may have been confused about the Manifest V3 API changes, which were controversial because they didn't support every feature of the old API. The mainstream ad blockers all wrote new versions for Manifest V3.
Injecting ads will get you removed from the extension store if caught, while adblockers are advertised on the front page of the store.
Did the JSON formatter with ads get kicked out of the extension store yet?
[1] https://arstechnica.com/gadgets/2024/08/chromes-manifest-v3-...
People rightly criticize all of the problems around vendor-lock-in and rent-seeking with platform app stores, but this is a good example that they do indeed provide some value in terms of filtering out malware.
The degree to which they are successful at that and add enough value to overcome the downsides is an open question. But it's clear that in a world where everyone is running hundreds of pieces of software that have auto-update functionality built in and unfettered access to CPU power and the Internet, uncontrolled app stores are a honeypot for malicious actors.
AI companies make use of these botnets quite a bit as well. Why don't we hear more about it? Because it is really, really, really hard to inspect what is actually happening on your phone. This post actually kinda disproves that the closed rent-seeking model is better in any way.
But browser extension marketplaces aren't a free-for-all; they're exactly like the platform app stores in all the bad ways.
The vendors are the ones who built it in!
I'm wondering when/if this is going to bite me in the butt
I agree that browser extension marketplaces are a failed experiment at this point. I used to run security at a fin services company, and our primary app had very strict Content Security Policy rules. We would get tons of notifications to our report-uri endpoint all the time from folks who had installed extensions that were doing lots of nefarious things.
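The triage a report-uri endpoint like the one above needs, as an added example that is not part of any comment: it separates CSP violation reports caused by browser extensions from reports about the page's own inline code or third-party hosts. The field names are the CSP Level 2 `csp-report` keys; the sample reports, extension ids and hostnames are constructed.

```javascript
// Triage of CSP violation reports (the JSON a browser POSTs to a report-uri endpoint).
// Added example, not from the thread. Goal: attribute violations to browser extensions
// injecting scripts into the page, versus the page's own inline code or third-party hosts.

const EXTENSION_SCHEMES = new Set([
  'chrome-extension:', 'moz-extension:', 'safari-web-extension:', 'ms-browser-extension:',
]);

// "chrome-extension://<id>/x.js" -> "chrome-extension://<id>". Chrome sometimes strips the
// value down to the bare scheme ("chrome-extension"), which is still attributable.
function extensionOrigin(value) {
  const scheme = value.split(':')[0] + ':';
  if (!EXTENSION_SCHEMES.has(scheme)) return null;
  try { return `${scheme}//${new URL(value).host || '(unknown id)'}`; }
  catch { return `${scheme}//(unknown id)`; }
}

function safeOrigin(u) { try { return new URL(u).origin; } catch { return null; } }

// Classify one csp-report object. Returns { category, key }; key identifies the offending
// source (extension origin, host, path or keyword) so reports can be aggregated.
function classifyReport(report) {
  const body = report['csp-report'] || report;
  const blocked = String(body['blocked-uri'] || '');
  const sourceFile = String(body['source-file'] || '');

  // Content scripts often inject inline <script> tags, so blocked-uri reads "inline" while
  // source-file still carries the extension URL. Check both before anything else.
  const ext = extensionOrigin(blocked) || extensionOrigin(sourceFile);
  if (ext) return { category: 'browser-extension', key: ext };

  if (['inline', 'eval', 'self', 'data', 'blob', ''].includes(blocked)) {
    return { category: 'page-inline', key: blocked || '(empty)' };
  }
  let url;
  try { url = new URL(blocked); } catch { return { category: 'unparseable', key: blocked }; }
  if (url.origin === safeOrigin(body['document-uri'])) {
    return { category: 'same-origin', key: url.pathname };
  }
  return { category: 'third-party', key: url.host };
}

// Aggregate many reports into { category: { key: count } } for a dashboard or alert rule.
function triageCspReports(reports) {
  const out = {};
  for (const r of reports) {
    const { category, key } = classifyReport(r);
    if (!out[category]) out[category] = {};
    out[category][key] = (out[category][key] || 0) + 1;
  }
  return out;
}

// Constructed sample reports (ids and hosts are placeholders, not real indicators).
const DOC = 'https://app.example.test/checkout';
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': DOC, 'violated-directive': 'script-src', 'blocked-uri': 'chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/inject.js' } },
  { 'csp-report': { 'document-uri': DOC, 'violated-directive': 'script-src', 'blocked-uri': 'inline', 'source-file': 'moz-extension://bbbbbbbb-cccc-dddd-eeee-ffffffffffff/content.js' } },
  { 'csp-report': { 'document-uri': DOC, 'violated-directive': 'script-src', 'blocked-uri': 'chrome-extension' } },
  { 'csp-report': { 'document-uri': DOC, 'violated-directive': 'script-src', 'blocked-uri': 'inline' } },
  { 'csp-report': { 'document-uri': DOC, 'violated-directive': 'script-src', 'blocked-uri': 'https://cdn.example.test/analytics.js' } },
  { 'csp-report': { 'document-uri': DOC, 'violated-directive': 'script-src', 'blocked-uri': 'https://app.example.test/legacy.js' } },
];
```

Running `triageCspReports(SAMPLE_REPORTS)` puts the first three reports under `browser-extension`, which is the bucket to keep out of the noise that drives your own CSP fixes.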
Maybe we should resort to publicly blaming and shaming this sort of action. DDoS their servers, fill their inbox with spam, review-bomb anything they do. Public court justice a la 4chan trolling. Selling out is a lawful decision, of course, but there is no reason it shouldn't come with a price tag of becoming publicly hated. In fact, it might help people who are on the verge to stay on the ethical side of things (very ironically).
I'm just kinda joking (but wouldn't hate it if I was rugpulled and the person that did it got such treatment)
(I used to do a lot of web development and probably know dev tools better than most people here. However I almost never look at the DOM of a webpage I don't own)
"What do you do all day?"
"Looking at the DOM. Currently there are too many divs, but the situation seems fine."
You don't?
https://news.ycombinator.com/newsguidelines.html
Reading other comments, I noticed that this was a legitimate question.
[0] https://github.com/extesy/hoverzoom/discussions/670
Here's what it can look like to an author of a popular extension:
https://github.com/extesy/hoverzoom/discussions/670
> To provide a more tangible example, Chrome Web Store currently has Blaze VPN, Safum VPN and Snap VPN extensions carrying the "Featured" badge. These extensions (along with Ishaan VPN which has barely any users) belong to the PDF Toolbox cluster which produced malicious extensions in the past. A cursory code inspection reveals that all four are identical and in fact clones of Nucleus VPN which was removed from Chrome Web Store in 2021. And they also don't even work, no connections succeed. The extension not working is something users of Nucleus VPN complained about already, a fact that the extension compensated for with fake reviews.
[1] https://palant.info/2025/01/13/chrome-web-store-is-a-mess/
https://github.com/wesbos/JSON-Alexander
https://github.com/callumlocke/json-formatter/commit/caa213d...
Someone on Twitter noticed it pretty quickly, considering:
https://twitter.com/devinsays/status/2012195612586914143?mx=...
Extensions which ask for all URLs should really be subjected to more thorough reviews.
I won't share it because I'm sure it leaves much to be desired (and you can recreate it in 2 minutes), but it makes me wonder how much room there is for rugpulls like this when people can just replace the tech with something that doesn't have adrot.
I only found out because Mozilla forced an uninstall with a warning and then I had to go down Bugzilla to find the impact (it leaked browser visit URLs).
> you just want a simple, open source, local-only JSON-formatting extension that won't receive updates.
Wow, that sounds like a tough choice. JSON formatting is moving at such a fast pace that I don't know if I should pay a JSON formatting SaaS a monthly subscription, or if I really can live without updates.
HODL
I mean, good luck to that guy. Everyone should have a shot at turning his free work into something worth it. I think I've been using that extension as well. But yeah, I never cared enough to know if it was this one. But I do hope there are others who did & he can surprise me and turn this user base into customers of a commercial product. If he pulls that off, I'd be truly impressed.
Chat with your json?
Facebook but for jsons?
Send json to blockchain?
It's so bad that it's exciting, can't wait for an update.
I just hope the authors of the "Go Back With Backspace" extension (now in version 3.0) I critically rely on ever since Chrome sold out will not betray me. It needs access to all sites, which as someone above mentioned is because of the great design of the new Extension Manifest API thingy.
It's far from ideal, but I've been meaning to start using one personal meta-extension so I can have ctrl-d on Grok delete the next character, do my own custom readability overlays, and other stuff that comes to mind. It would have a clear association between sites and customizations, and possibly sandboxed code (e.g. WebAssembly).
Does the Chrome Web Store have any reputation left at this point? I don't know how much lower its reputation can go.
Quarantined - PUP.Optional.Hijacker. C:\USERS*\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BCJINDCCCAAGFPAPJJMAFAPMMGKKHGOA
wondered what the extension was... JSON Formatter
Now I know what would have happened if I had accepted.
The chrome team does not seem to see security as a high enough priority.
Hey William, thanks for flagging this! We were experimenting with analytics to help us identify crashes and improve stability. We've rolled this back in v2.1.17, which is now live and being rolled out. Going forward, we'll ensure any analytics collection is clearly disclosed. Thanks again!
https://chromewebstore.google.com/detail/json-formatter/gpmo...
Darn…
and I thought that the JSLibCache extension forcing every site into UTF-8 mode (even those that need to run with a legacy codepage) was a critical issue. A problem I encountered yesterday… took me a while to figure out too.
If basically any worthwhile extension can be silently updated to inject <script> tags anywhere, then it's time to call this a failed experiment and move on. Bake UBlock and password-management APIs into the browser. Stop the madness.
The amount of absolute clusterfuckery in browser extensions is endless. One of the biggest issues is with how extensions define their permissions and capabilities in their manifest.json files. I've reviewed thousands of these now, and probably only 5-10% of extensions actually get it right. There are just so many confusing and overlapping permissions, capabilities, etc.
It is a failed experiment, but I don't think Google can just shut it off, because of their market dominance. They'd be disconnecting some of their competitors from their users. They need to move to an updated manifest spec that is (more) secure by default, has fewer footguns, etc.
They tried to do this and people got very upset at them trying to kill adblockers.
- "It can: Read and change all your data on all websites"
It's not alarming sounding enough for what that implies, but "it can trigger requests under its control" seems fairly obvious from that. The permission it uses to inject ads can be used to inject ads (or block them).
Why a JSON formatter needs any permission at all is something anyone installing it should be asking themselves.
---
This is not meant to imply that I think the permission model of extensions in chrome or firefox is good, clearly it is not. But it's significantly better and more fine-grained than every single other widely-used permissions system in consumer apps. Ideally there should be more carve-outs for safe niches like a "read a JSON file, rewrite it into something that does not need javascript or external resources" could use, but also that kind of thing is likely to be nigh impossible to make "complete".
This ends up being significantly worse than any other widely-used permissions system, because injected scripts act as the website, not the extension. If you've already granted location permission to a website, then it is effectively granted to the extension. There is no other ecosystem that works like this.
And to do basically anything worthwhile, including certain types of content blocking, you need this God permission that essentially disables the WebExtension permissions system. This should never have been greenlit in the first place.
Yeah, I don't like this phrasing either, I think it downplays the risk to a dangerous degree (which is "it can see and do literally anything on any site you visit", which is GIGANTIC). It's one of the worst permissions to request, but it doesn't look like it.
But other permissions systems don't have per-site controls, or the ability to turn things off until activated, or isolate everything, or... the list is huge, others generally have permissions like "can access this folder [and others we haven't told you] [and folders you give it access to, which you can't revoke later https://news.ycombinator.com/item?id=47719602] [and only for applications which opt into this, normal ones can do anything anywhere any time]...." which is much worse.
1. Access to the page DOM to read the raw JSON content.
2. Permission to modify the DOM to display the formatted results.
Unfortunately, these requirements necessitate broad host permissions, which allow an extension to inject ads or track user behaviors. There is no alternative way to define a strict security boundary that allows these specific permissions while preventing abuses.
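An added example (not code from any comment or from the extension) of the manifest.json review the thread keeps circling back to: it flags the install-time host patterns behind "Read and change all your data on all websites" and the API permissions that matter once such access exists. The two manifests are constructed; the narrowed one shows the `activeTab` plus `optional_host_permissions` shape that keeps a formatter's broad access behind a user decision instead of granting it at install.

```javascript
// Audit of a Chrome extension manifest (MV2 or MV3) for broad host access and sensitive
// API permissions. Added example, not from the thread or the extension; the manifest keys
// are the real manifest.json field names, the two sample manifests are constructed.

// Match patterns Chrome presents as "Read and change all your data on all websites".
const BROAD_HOST_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*', 'file:///*']);

// API permissions that, combined with broad host access, let an extension act as the page
// or the browser. "scripting" alone is inert without host access, so it is not listed.
const SENSITIVE_API_PERMISSIONS = new Set([
  'tabs', 'webRequest', 'webRequestBlocking', 'declarativeNetRequest', 'cookies', 'history',
  'debugger', 'proxy', 'management', 'nativeMessaging', 'geolocation',
]);

function isBroadHostPattern(p) {
  // "*://*.example.test/*" is site-scoped; a pattern whose host part is a lone "*" is not.
  if (BROAD_HOST_PATTERNS.has(p)) return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\//.exec(p);
  return !!m && m[2] === '*';
}

// Returns { manifestVersion, broadHostAccess, findings[] } for a parsed manifest object.
function auditManifest(manifest) {
  const findings = [];
  const broad = [];
  const add = (where, p) => { if (isBroadHostPattern(p)) broad.push(`${where}: ${p}`); };

  // MV2 mixed host patterns into "permissions"; MV3 moved them to "host_permissions".
  for (const p of manifest.permissions || []) add('permissions', p);
  for (const p of manifest.host_permissions || []) add('host_permissions', p);
  (manifest.content_scripts || []).forEach((cs, i) =>
    (cs.matches || []).forEach((p) => add(`content_scripts[${i}].matches`, p)));
  if (broad.length) findings.push({ severity: 'high', issue: 'install-time access to all sites', where: broad });

  const sensitive = (manifest.permissions || []).filter((p) => SENSITIVE_API_PERMISSIONS.has(p));
  if (sensitive.length) findings.push({ severity: 'medium', issue: 'sensitive API permissions', where: sensitive });

  // Optional permissions are granted only when the user accepts a runtime prompt; list them
  // so a reviewer sees what the extension could ask for later.
  const optional = [...(manifest.optional_permissions || []), ...(manifest.optional_host_permissions || [])];
  if (optional.length) findings.push({ severity: 'info', issue: 'runtime-optional permissions', where: optional });

  return { manifestVersion: manifest.manifest_version, broadHostAccess: broad.length > 0, findings };
}

// Constructed: the shape a formatter that runs on every page has (and that an ad injector needs).
const BROAD_FORMATTER = {
  manifest_version: 3, name: 'Example Formatter (broad)', permissions: ['storage', 'scripting'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'], run_at: 'document_end' }],
};
// Constructed: same feature, but formats only the tab whose toolbar button the user clicked;
// access to every site is offered as an opt-in the user can refuse or later revoke.
const NARROWED_FORMATTER = {
  manifest_version: 3, name: 'Example Formatter (narrowed)', permissions: ['activeTab', 'scripting', 'storage'],
  action: { default_title: 'Format JSON' }, optional_host_permissions: ['*://*/*'],
};
```

`auditManifest(BROAD_FORMATTER).broadHostAccess` is `true` with two locations listed; the narrowed manifest produces only the informational finding.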
Maybe you're right, and there isn't. Does it not follow that we should probably require extensive review and open-source reproducible builds before allowing any such extension on the browser extension stores?
https://support.google.com/chrome/answer/7632919
I'm confused why this extension still exists I guess, and definitely too spooked out to even bother looking.
It was an effective hack. I'd wasted 3+ hours jumping through hoops to get access to some basic service and was running into one hurdle after another... Then I got to a point that I wanted to scan a QR code from an old screenshot and so I opened my trusty QR code app to navigate to the website but when I opened the app; it wouldn't let me scan as usual; instead, there was a legit-looking update button on the page saying I needed to update the app; it was shown as part of the app interface itself (not some side ad). After 3 hours of running into a deep recursive rabbit hole with one hurdle after another, I was at my wit's end... I needed to read that QR code NOW! This was one hurdle too many which I didn't have the energy to even think about! I was too busy thinking about the other 4 layers of nested issues which I was trying to unwind myself out of! And so my muscle memory kicked in and hit the update button! Then BAM! Even before my system 2 thinking kicked in (to remind me that updates should be done through the app store), within a second or two, a message flashed on the screen and I knew my phone had been hacked. I noticed later that I received a whole bunch of extortion emails.
Thankfully, I never put anything sensitive on my phone. I treat it as a public space. I wasn't logged into any session on any app at the time. I immediately did a factory reset of my phone and changed all my passwords just in case. But damn, that was an effective hack! I trusted this app for 5 years and it betrayed me in a fraction of a second! This was surprising for me as I'd never been hacked before. It showed me how even someone who fully understands the tech can be hacked if caught at the right time in the right situation.